analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://gres.czmail-oln040092069015.outbound.protection.sketchwefair-watduoliprudential.com.watchdogdns.duckdns.org/jae/user.exe

Full analysis: https://app.any.run/tasks/690aa41a-93ed-407e-9a90-93c5a16bcfd7
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: February 18, 2019, 15:45:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:
MD5:

4F81D1DAFE7C9C62CD4D14E22E1C1FB1

SHA1:

307E6C5E81FD8D0405B8366CFE32F5AF6277063A

SHA256:

7C79F5006A6FC929FAE8F1E05E704C5B69AA2C0C8679CDDE55659B46CA70F5A2

SSDEEP:

3:N82AMI5qzcGFKFeBhaAGRKOyqsJO1kTXCyaWi8AL0A:22UKK0haAGRVyqsQGXSWlAl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • user[1].exe (PID: 3560)
      • user[1].exe (PID: 3212)
      • vvmptj8pgfi8.exe (PID: 3508)
      • vvmptj8pgfi8.exe (PID: 2312)

    • FORMBOOK was detected

      • explorer.exe (PID: 284)

    • Changes the autorun value in the registry

      • chkdsk.exe (PID: 3280)

    • Connects to CnC server

      • explorer.exe (PID: 284)

    • Actions looks like stealing of personal data

      • chkdsk.exe (PID: 3280)

    • Formbook was detected

      • chkdsk.exe (PID: 3280)
      • Firefox.exe (PID: 2816)

    • Loads dropped or rewritten executable

      • chkdsk.exe (PID: 3280)

    • Stealing of credential data

      • cmd.exe (PID: 2428)
      • chkdsk.exe (PID: 3280)

  • SUSPICIOUS

    • Starts Internet Explorer

      • explorer.exe (PID: 284)

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3256)
      • iexplore.exe (PID: 2976)
      • explorer.exe (PID: 284)
      • DllHost.exe (PID: 2644)
      • chkdsk.exe (PID: 3280)

    • Application launched itself

      • user[1].exe (PID: 3560)
      • vvmptj8pgfi8.exe (PID: 3508)

    • Starts CMD.EXE for commands execution

      • chkdsk.exe (PID: 3280)

    • Loads DLL from Mozilla Firefox

      • chkdsk.exe (PID: 3280)

    • Creates files in the user directory

      • chkdsk.exe (PID: 3280)

    • Creates files in the program directory

      • DllHost.exe (PID: 2644)

  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 3256)

    • Application launched itself

      • iexplore.exe (PID: 2976)

    • Changes internet zones settings

      • iexplore.exe (PID: 2976)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3256)
      • iexplore.exe (PID: 2976)

    • Creates files in the user directory

      • Firefox.exe (PID: 2816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
13
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start iexplore.exe iexplore.exe user[1].exe no specs user[1].exe no specs #FORMBOOK chkdsk.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs Copy/Move/Rename/Delete/Link Object vvmptj8pgfi8.exe no specs vvmptj8pgfi8.exe no specs services.exe no specs cmd.exe

Process information

PID
CMD
Path
Indicators
Parent process
2976"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3256"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2976 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3560"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\user[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\user[1].exeiexplore.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3212"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\user[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\user[1].exeuser[1].exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3280"C:\Windows\System32\chkdsk.exe"C:\Windows\System32\chkdsk.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Check Disk Utility
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3500/c del "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\user[1].exe"C:\Windows\System32\cmd.exechkdsk.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
284C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2816"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
chkdsk.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
61.0.2
2644C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3508"C:\Program Files\Wm628\vvmptj8pgfi8.exe"C:\Program Files\Wm628\vvmptj8pgfi8.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
5 193
Read events
2 494
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
81
Text files
14
Unknown types
4

Dropped files

PID
Process
Filename
Type
2976iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2976iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\CabEE3C.tmp
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarEE3D.tmp
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\CabEE4E.tmp
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarEE4F.tmp
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab2907.tmp
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar2908.tmp
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab2938.tmp
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar2939.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
15
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
284
explorer.exe
GET
50.116.64.44:80
http://www.qskystudio.com/wa/?NVDPll=zUPmGBTcumcQ84AxUehNif7H2a8EeuFxL86ReWp2a2nL/ryaSQ0kTJ9TKLFW9a+zGTkyuQ==&Wz=H2g49vWHQZclu&sql=1
US
malicious
3256
iexplore.exe
GET
200
67.27.151.254:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
55.2 Kb
whitelisted
2976
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
284
explorer.exe
POST
50.116.64.44:80
http://www.qskystudio.com/wa/
US
malicious
284
explorer.exe
POST
192.64.115.176:80
http://www.skylod.com/wa/
US
malicious
284
explorer.exe
GET
200
192.64.115.176:80
http://www.skylod.com/wa/?NVDPll=4v4zjVxlCQAsyTZxYMjBQegLqvW+jDeGWAiwLvaoNiVJFn7AHBOayqRXsd7SC+lNyT6yvg==&Wz=H2g49vWHQZclu&sql=1
US
binary
323 Kb
malicious
284
explorer.exe
POST
50.116.64.44:80
http://www.qskystudio.com/wa/
US
malicious
284
explorer.exe
POST
50.116.64.44:80
http://www.qskystudio.com/wa/
US
malicious
284
explorer.exe
POST
404
192.64.115.176:80
http://www.skylod.com/wa/
US
html
288 b
malicious
284
explorer.exe
POST
192.64.115.176:80
http://www.skylod.com/wa/
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2976
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
284
explorer.exe
45.39.170.155:80
www.cryptoaltex.com
EGIHosting
US
malicious
3256
iexplore.exe
8.248.113.254:80
www.download.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
3256
iexplore.exe
23.249.161.100:443
gres.czmail-oln040092069015.outbound.protection.sketchwefair-watduoliprudential.com.watchdogdns.duckdns.org
ColoCrossing
US
malicious
3256
iexplore.exe
67.27.151.254:80
www.download.windowsupdate.com
Level 3 Communications, Inc.
US
unknown
284
explorer.exe
50.116.64.44:80
www.qskystudio.com
CyrusOne LLC
US
malicious
284
explorer.exe
192.64.115.176:80
www.skylod.com
Namecheap, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
gres.czmail-oln040092069015.outbound.protection.sketchwefair-watduoliprudential.com.watchdogdns.duckdns.org
  • 23.249.161.100
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.download.windowsupdate.com
  • 8.248.113.254
  • 67.27.151.254
  • 67.26.139.254
  • 67.27.233.254
  • 67.27.151.126
whitelisted
www.cryptoaltex.com
  • 45.39.170.155
malicious
www.qskystudio.com
  • 50.116.64.44
malicious
www.skylod.com
  • 192.64.115.176
malicious
www.paddlepass.info
unknown
www.tv16366.info
unknown

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
7 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://gres.czmail-oln040092069015.outbound.protection.sketchwefair-watduoliprudential.com.watchdogdns.duckdns.org/jae/user.exe